ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1162147 - in /webservices/wss4j/trunk/src/main/java/org/apache/ws/security: message/token/SecurityTokenReference.java str/SecurityTokenRefSTRParser.java str/SignatureSTRParser.java
Date Fri, 26 Aug 2011 15:54:15 GMT
Author: coheigea
Date: Fri Aug 26 15:54:15 2011
New Revision: 1162147

URL: http://svn.apache.org/viewvc?rev=1162147&view=rev
Log:
[WSS-307] - Changing the Signature and RefList STR Parsers to check for a symmetric key in
the CallbackHandler first

Modified:
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java?rev=1162147&r1=1162146&r2=1162147&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java
Fri Aug 26 15:54:15 2011
@@ -312,7 +312,8 @@ public class SecurityTokenReference {
         //
         if (cb != null && (WSConstants.WSC_SCT.equals(type)
             || WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(type) 
-            || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(type))) {
+            || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(type)
+            || KerberosSecurity.isKerberosToken(type))) {
             //try to find a custom token
             WSPasswordCallback pwcb = 
                 new WSPasswordCallback(id, WSPasswordCallback.CUSTOM_TOKEN);

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java?rev=1162147&r1=1162146&r2=1162147&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
Fri Aug 26 15:54:15 2011
@@ -98,28 +98,29 @@ public class SecurityTokenRefSTRParser i
         if (result != null) {
             processPreviousResult(result, secRef, data, parameters, wsDocInfo, bspCompliant);
         } else if (secRef.containsReference()) {
-            Element token = 
-                secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
-            QName el = new QName(token.getNamespaceURI(), token.getLocalName());
-            if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
-                Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.BINARY_TOKEN);
-                List<WSSecurityEngineResult> bstResult =
-                        proc.handleToken(token, data, wsDocInfo);
-                BinarySecurity bstToken = 
-                        (BinarySecurity)bstResult.get(0).get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
-                if (bspCompliant) {
-                    BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, bstToken);
-                }
-                secretKey = (byte[])bstResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
-            } else {
-                Reference reference = secRef.getReference();
-                // Try asking the CallbackHandler for the secret key
-                secretKey = getSecretKeyFromToken(uri, reference.getValueType(), data);
-                if (secretKey == null) {
-                    throw new WSSecurityException(
-                        WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[]
{uri}
-                    );
-                }
+            Reference reference = secRef.getReference();
+            // Try asking the CallbackHandler for the secret key
+            secretKey = getSecretKeyFromToken(uri, reference.getValueType(), data);
+            if (secretKey == null) {
+                Element token = 
+                    secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
+                QName el = new QName(token.getNamespaceURI(), token.getLocalName());
+                if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
+                    Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.BINARY_TOKEN);
+                    List<WSSecurityEngineResult> bstResult =
+                            proc.handleToken(token, data, wsDocInfo);
+                    BinarySecurity bstToken = 
+                            (BinarySecurity)bstResult.get(0).get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+                    if (bspCompliant) {
+                        BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, bstToken);
+                    }
+                    secretKey = (byte[])bstResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
+                } 
+            }
+            if (secretKey == null) {
+                throw new WSSecurityException(
+                    WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[] {uri}
+                );
             }
         } else if (secRef.containsKeyIdentifier()) {
             String valueType = secRef.getKeyIdentifierValueType();
@@ -153,6 +154,11 @@ public class SecurityTokenRefSTRParser i
                     getSecretKeyFromToken(
                         secRef.getKeyIdentifierValue(), secRef.getKeyIdentifierValueType(),
data
                     );
+                if (secretKey == null) {
+                    throw new WSSecurityException(
+                        WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[]
{uri}
+                    );
+                }
             }
         } else {
             throw new WSSecurityException(WSSecurityException.FAILED_CHECK, "noReference");
@@ -222,7 +228,10 @@ public class SecurityTokenRefSTRParser i
             new WSPasswordCallback(id, null, type, WSPasswordCallback.SECRET_KEY, data);
         try {
             Callback[] callbacks = new Callback[]{pwcb};
-            data.getCallbackHandler().handle(callbacks);
+            if (data.getCallbackHandler() != null) {
+                data.getCallbackHandler().handle(callbacks);
+                return pwcb.getKey();
+            }
         } catch (Exception e) {
             throw new WSSecurityException(
                 WSSecurityException.FAILURE,
@@ -232,7 +241,7 @@ public class SecurityTokenRefSTRParser i
             );
         }
 
-        return pwcb.getKey();
+        return null;
     }
     
     /**

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java?rev=1162147&r1=1162146&r2=1162147&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
Fri Aug 26 15:54:15 2011
@@ -32,6 +32,7 @@ import org.apache.ws.security.components
 import org.apache.ws.security.handler.RequestData;
 import org.apache.ws.security.message.token.BinarySecurity;
 import org.apache.ws.security.message.token.DerivedKeyToken;
+import org.apache.ws.security.message.token.Reference;
 import org.apache.ws.security.message.token.SecurityContextToken;
 import org.apache.ws.security.message.token.SecurityTokenReference;
 import org.apache.ws.security.message.token.UsernameToken;
@@ -120,68 +121,71 @@ public class SignatureSTRParser implemen
         if (result != null) {
             processPreviousResult(result, secRef, data, parameters, bspCompliant);
         } else if (secRef.containsReference()) {
-            Element token = 
-                secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
-            QName el = new QName(token.getNamespaceURI(), token.getLocalName());
-            if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
-                Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.BINARY_TOKEN);
-                List<WSSecurityEngineResult> bstResult =
-                    proc.handleToken(token, data, wsDocInfo);
-                BinarySecurity bstToken = 
-                    (BinarySecurity)bstResult.get(0).get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
-                if (bspCompliant) {
-                    BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, bstToken);
-                }
-                certs = (X509Certificate[])bstResult.get(0).get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
-                secretKey = (byte[])bstResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
-                principal = (Principal)bstResult.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
-            } else if (el.equals(WSSecurityEngine.SAML_TOKEN) 
-                || el.equals(WSSecurityEngine.SAML2_TOKEN)) {
-                Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
-                //
-                // Just check to see whether the token was processed or not
-                //
-                Element processedToken = 
-                    secRef.findProcessedTokenElement(
-                        strElement.getOwnerDocument(), wsDocInfo, 
-                        data.getCallbackHandler(), uri, secRef.getReference().getValueType()
-                    );
-                AssertionWrapper assertion = null;
-                if (processedToken == null) {
-                    List<WSSecurityEngineResult> samlResult =
+            Reference reference = secRef.getReference();
+            // Try asking the CallbackHandler for the secret key
+            secretKey = getSecretKeyFromToken(uri, reference.getValueType(), data);
+            principal = new CustomTokenPrincipal(uri);
+            
+            if (secretKey == null) {
+                Element token = 
+                    secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
+                QName el = new QName(token.getNamespaceURI(), token.getLocalName());
+                if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
+                    Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.BINARY_TOKEN);
+                    List<WSSecurityEngineResult> bstResult =
                         proc.handleToken(token, data, wsDocInfo);
-                    assertion = 
-                        (AssertionWrapper)samlResult.get(0).get(
-                            WSSecurityEngineResult.TAG_SAML_ASSERTION
+                    BinarySecurity bstToken = 
+                        (BinarySecurity)bstResult.get(0).get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+                    if (bspCompliant) {
+                        BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, bstToken);
+                    }
+                    certs = (X509Certificate[])bstResult.get(0).get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+                    secretKey = (byte[])bstResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
+                    principal = (Principal)bstResult.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
+                } else if (el.equals(WSSecurityEngine.SAML_TOKEN) 
+                    || el.equals(WSSecurityEngine.SAML2_TOKEN)) {
+                    Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
+                    //
+                    // Just check to see whether the token was processed or not
+                    //
+                    Element processedToken = 
+                        secRef.findProcessedTokenElement(
+                            strElement.getOwnerDocument(), wsDocInfo, 
+                            data.getCallbackHandler(), uri, secRef.getReference().getValueType()
                         );
-                } else {
-                    assertion = new AssertionWrapper(processedToken);
-                    assertion.parseHOKSubject(data, wsDocInfo);
-                }
-                if (bspCompliant) {
-                    BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
-                }
-                SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
-                X509Certificate[] foundCerts = keyInfo.getCerts();
-                if (foundCerts != null) {
-                    certs = new X509Certificate[]{foundCerts[0]};
-                }
-                secretKey = keyInfo.getSecret();
-                principal = createPrincipalFromSAML(assertion);
-            } else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
-                if (bspCompliant) {
-                    BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
+                    AssertionWrapper assertion = null;
+                    if (processedToken == null) {
+                        List<WSSecurityEngineResult> samlResult =
+                            proc.handleToken(token, data, wsDocInfo);
+                        assertion = 
+                            (AssertionWrapper)samlResult.get(0).get(
+                                WSSecurityEngineResult.TAG_SAML_ASSERTION
+                            );
+                    } else {
+                        assertion = new AssertionWrapper(processedToken);
+                        assertion.parseHOKSubject(data, wsDocInfo);
+                    }
+                    if (bspCompliant) {
+                        BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
+                    }
+                    SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
+                    X509Certificate[] foundCerts = keyInfo.getCerts();
+                    if (foundCerts != null) {
+                        certs = new X509Certificate[]{foundCerts[0]};
+                    }
+                    secretKey = keyInfo.getSecret();
+                    principal = createPrincipalFromSAML(assertion);
+                } else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
+                    if (bspCompliant) {
+                        BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
+                    }
+                    Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.ENCRYPTED_KEY);
+                    List<WSSecurityEngineResult> encrResult =
+                        proc.handleToken(token, data, wsDocInfo);
+                    secretKey = 
+                        (byte[])encrResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
+                    principal = new CustomTokenPrincipal(token.getAttribute("Id"));
                 }
-                Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.ENCRYPTED_KEY);
-                List<WSSecurityEngineResult> encrResult =
-                    proc.handleToken(token, data, wsDocInfo);
-                secretKey = 
-                    (byte[])encrResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
-                principal = new CustomTokenPrincipal(token.getAttribute("Id"));
-            } else {
-                String id = secRef.getReference().getURI();
-                secretKey = getSecretKeyFromToken(id, null, data);
-                principal = new CustomTokenPrincipal(id);
             }
         } else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
             X509Certificate[] foundCerts = secRef.getX509IssuerSerial(crypto);
@@ -315,7 +319,10 @@ public class SignatureSTRParser implemen
             new WSPasswordCallback(id, null, type, WSPasswordCallback.SECRET_KEY, data);
         try {
             Callback[] callbacks = new Callback[]{pwcb};
-            data.getCallbackHandler().handle(callbacks);
+            if (data.getCallbackHandler() != null) {
+                data.getCallbackHandler().handle(callbacks);
+                return pwcb.getKey();
+            }
         } catch (Exception e) {
             throw new WSSecurityException(
                 WSSecurityException.FAILURE,
@@ -325,7 +332,7 @@ public class SignatureSTRParser implemen
             );
         }
 
-        return pwcb.getKey();
+        return null;
     }
     
     /**



Mime
View raw message